From 79f0a6dee328ce033d23659545f4f2bb9964732c Mon Sep 17 00:00:00 2001 From: celeste1900 <253458269+celeste1900@users.noreply.github.com> Date: Fri, 3 Jul 2026 17:55:24 +0800 Subject: [PATCH] Add org-wide SECURITY.md Private vulnerability-report channel (hi@ofox.ai) inherited by all public repos without their own SECURITY.md. Co-Authored-By: Claude Fable 5 --- SECURITY.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..276b74d --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,20 @@ +# Security Policy + +## Reporting a vulnerability + +Please report security issues privately to **hi@ofox.ai** — do not open a +public issue. Include what you found, how to reproduce it, and the potential +impact. + +We'll acknowledge your report within 48 hours and keep you updated on the fix. + +## Scope + +This policy covers the ofox API gateway (`api.ofox.ai`), the dashboard +(`app.ofox.ai`), and all public repositories in this organization. A repository +with its own `SECURITY.md` follows that file instead. + +## Handling API keys + +If you believe an ofox API key has been exposed, rotate it immediately from +your dashboard and let us know at the address above.